What's new in Ceros


security
August 01, 2019

XSS Vulnerability: Exported Experiences

Summary

Ceros has released a security update to resolve one cross-site scripting (XSS) vulnerability affecting Internet Explorer browsers and exported, self-hosted Ceros Experiences.

XSS attacks allow an attacker to run malicious JavaScript in another user's browser. The malicious script could capture cookies or session tokens, or rewrite the content of the page. An XSS vulnerability is a flaw that exposes users to such an attack. Read more about XSS here.

Analysis

Ceros has confirmed proof-of-concept (PoC) code that demonstrates a theoretical exploit of this vulnerability (PoC available upon request).

Ceros is not aware of any successful exploitation happening in the wild or of any breach of internal or customer data.

Solution

At 10 PM EDT on July 31, 2019, Ceros released a patched build to its production environment to remediate the vulnerability for any newly exported experiences. This response was immediate and the Ceros team was able to remediate this vulnerability within 24 hours of discovery.

Because exported Ceros content is no longer managed by Ceros, we are unable to retroactively apply this fix to experiences exported prior to 4 PM EDT on August 2nd, 2019.

To completely resolve this vulnerability in your content, you must re-export and replace all Ceros Experiences that are hosted outside of Ceros, as well as any CDE files that you are self-hosting. Please consult our guide to exporting experiences.

If you have a large quantity of experiences to export, we have developed a script that can patch all exported experiences. This script can only be run by a developer or a system administrator. If you have such a person, please reach out to support@ceros.com for more information.

Safeguards

Ceros is performing a full root cause analysis and a formal review of security testing procedures to avoid this type of vulnerability in the future.

If you discover a vulnerability in any Ceros product, please let us know at security@ceros.com.

Should you have any questions or need help remediating this vulnerability, please email support@ceros.com.